Each DNSSEC risk vector issue has a message shown in Findings as an individual entry, along with the associated IP address. For instance, “DSA public key is less than 2048 bits.” The text in the remediation column is also available in the platform. Remediation is guidance on how to resolve the issue so that it no longer adversely impacts the organization’s Bitsight Security Rating.
GOOD
In order to be graded as GOOD, the domain should have DNSSEC enabled and should be properly configured. The certificate must adhere to the following rules:
- It must be encrypted using a secure hash algorithm with a sufficiently long key.
- It must have a validated chain of trust.
WARN
The presence of these issues affects an organization’s Bitsight Security Rating. They should be remediated as soon as possible.
Message | Description | Remediation Instructions |
---|---|---|
DSA public key is less than 2048 bits | Keys shorter than 2048 bits may be insecure. | You will need to create a new Zone Signing Key, using the DSA algorithm, with a key strength greater than or equal to 2048 bits. See the technical overview of DNSSEC key generation. |
Parent zone is not properly signed | This parent zone has a signature that fails validation. | The top-level domain (.com, .org, etc.) has a bad DS record with the root server zone (possibly outdated) that will need to be resubmitted. |
RSA public key is less than 2048 bits | Keys shorter than 2048 bits may be insecure. | You will need to generate a new Zone Signing Key, using the RSA algorithm, with a key strength greater than or equal to 2048 bits. See the technical overview of DNSSEC key generation. |
BAD
The presence of these issues affects an organization’s Bitsight Security Rating. They should be remediated as soon as possible.
Message | Description | Remediation Instructions |
---|---|---|
does not have a validated chain of trust | Somewhere in the chain of trust, a domain is missing a DNSKEY and/or DS record. | Examine the implemented methods of trusting keys on your DNS server. If you are manually managing trust anchors, you may have outdated anchors, and will want to download new anchors or switch your method to automatic. See Trusted Keys and Managing Keys for more information. |
DNSKEY record found but no DS record found | This company has configured DNSSEC within their infrastructure, but failed to submit the DS record to the parent zone. | Make sure that your DS record has been entered through your domain registrar’s control panel. See How To Setup DNSSEC on an Authoritative BIND DNS Server for instructions. |
DNSSEC is misconfigured on this domain or the parent zone | The NSEC/NSEC3 record is missing for this domain on the parent zone. | Ensure your authenticated denial of existence (NSEC) resource records are properly formatted, according to RFC-4034, Resource Records for the DNS Security Extensions. |
Domain is not configured on authoritative name servers | The name server(s) delegated as authoritative for this domain do not have a zone specified for it. | Ensure your domain name servers are configured to respond to queries for your domain and remove any entries from your zone file that are misconfigured. |
DS record found but no DNSKEY record found | This company has submitted a DS record to the parent zone, but has not configured DNSSEC within their infrastructure. | Add your DNSKEY to your DNS records through your registrar’s management interface. |
DSA public key is less than 1024 bits | Keys shorter than 1024 bits can be broken with consumer devices. A key length of 2048 bits is recommended. | You will need to generate a new Zone Signing Key, using the DSA algorithm, with a key strength greater than or equal to 1024 bits. To avoid a WARN grade on your new key pair, use 2048 bits or greater. See the technical overview of DNSSEC key generation. |
Insecure hash algorithm | The algorithm encrypting this traffic has a known vulnerability, making the connection susceptible to man-in-the-middle (MITM) attacks. | You will need to generate a new Zone Signing Key, using an algorithm which does not contain MD2 or MD5 (for example, SHA512). See the technical overview of DNSSEC key generation. |
is not signed correctly | There is no matching RRSIG for the domain/record or the RRSIG is invalid. | Make sure your DNS zone file includes a RRSIG resource for each type of record on a host. They should have valid inception and expiration date fields, as defined in RFC-4034. |
Malformed record on | This record is either poorly configured or does not exist. | Check your original keys and zone records. Ensure they are configured according to the standards set in RFC-4033. See dnssec.net for practical documents related to DNSSEC setup. |
Misconfigured name server record for | There is a problem with this name server record that makes it ineffective. | Ensure your zone file, keys, and DS record have been generated and are properly configured, according to RFC-4034. |
No SOA record | No authoritative information, such as primary server name or domain serial number could be found for this host. | The Start of Authority (SOA) record must be included in the zone file as a resource record and must be the first resource record. See Chapter 8, Resource Records for an example zone file with an SOA record. |
RSA public key is less than 1024 bits | Keys shorter than 1024 bits can be broken with consumer devices. A key length of 2048 bits is recommended. | You will need to generate a new Zone Signing Key, using the RSA algorithm, with a key strength greater than or equal to 1024 bits. To avoid a WARN grade on your new key pair, use 2048 bits or greater. See the technical overview of DNSSEC key generation. |
Zone is not properly signed | This zone either has a signature that fails validation or has a DS record but no DNSKEY. | Generate a new DNSKEY and resubmit the DS record to the parent zone. |
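To check the key-length and hash-algorithm rules from the WARN and BAD tables above against your own DNSKEY records (the presentation-format lines that `dig <zone> DNSKEY` prints), here is an added example; it is not Bitsight's own checker. The sample keys it builds follow the RFC 3110 (RSA) and RFC 2536 (DSA) wire layouts but are constructed dummies, not real keys.

```python
import base64
import struct
# DNSSEC algorithm numbers (IANA registry) grouped by key family.
RSA_ALGS = {1, 5, 7, 8, 10}      # RSAMD5, RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512
DSA_ALGS = {3, 6}                # DSA, DSA-NSEC3-SHA1
INSECURE_HASH_ALGS = {1}         # RSAMD5 is the only registered DNSSEC algorithm built on MD5

def rsa_modulus_bits(key: bytes) -> int:
    """Modulus size of an RSA public key in RFC 3110 DNSKEY wire format."""
    exp_len, offset = key[0], 1
    if exp_len == 0:             # a zero first byte means a 2-byte exponent length follows
        exp_len, offset = struct.unpack("!H", key[1:3])[0], 3
    return int.from_bytes(key[offset + exp_len:], "big").bit_length()

def dsa_prime_bits(key: bytes) -> int:
    """Prime size of a DSA public key in RFC 2536 DNSKEY wire format: P is 64 + 8*T bytes."""
    return (64 + 8 * key[0]) * 8

def grade_dnskey(rdata: str) -> tuple:
    """Apply the tables' key rules to a DNSKEY in presentation format ('257 3 8 AwEAAb...')."""
    _flags, _protocol, algorithm, *b64 = rdata.split()   # dig may wrap the base64 over spaces
    alg, key = int(algorithm), base64.b64decode("".join(b64))
    if alg in INSECURE_HASH_ALGS:
        return ("BAD", "Insecure hash algorithm")
    if alg in RSA_ALGS:
        family, bits = "RSA", rsa_modulus_bits(key)
    elif alg in DSA_ALGS:
        family, bits = "DSA", dsa_prime_bits(key)
    else:                        # ECDSA/EdDSA: the tables state no key-length rule for these
        return ("N/A", f"no key-length rule for algorithm {alg}")
    if bits < 1024:
        return ("BAD", f"{family} public key is less than 1024 bits")
    if bits < 2048:
        return ("WARN", f"{family} public key is less than 2048 bits")
    return ("GOOD", "")

def make_rsa_dnskey(bits: int, alg: int = 8) -> str:
    """Constructed sample, not a real key: exponent 65537 plus a dummy modulus of exactly `bits` bits."""
    modulus = (1 << (bits - 1)) | 1
    wire = b"\x03" + (65537).to_bytes(3, "big") + modulus.to_bytes((bits + 7) // 8, "big")
    return f"257 3 {alg} {base64.b64encode(wire).decode()}"

def make_dsa_dnskey(t: int, alg: int = 3) -> str:
    """Constructed sample, not a real key: T byte, then dummy Q (20 bytes) and P, G, Y (64+8T bytes each)."""
    wire = bytes([t]) + b"\x01" * (20 + 3 * (64 + 8 * t))
    return f"257 3 {alg} {base64.b64encode(wire).decode()}"

if __name__ == "__main__":
    for sample in (make_rsa_dnskey(2048), make_rsa_dnskey(1024), make_dsa_dnskey(0), make_rsa_dnskey(2048, alg=1)):
        print(grade_dnskey(sample))
```

Paste a real DNSKEY line from your zone into `grade_dnskey` to see which of the messages above the platform would report for it.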
NEUTRAL
These issues don't affect an organization’s Bitsight Security Rating.
Message | Description | Remediation Instructions |
---|---|---|
Parent zone is not signed | The parent zone does not have DNSSEC configured. | |
DNSSEC is not configured on this domain | This domain is missing a DNSKEY record and therefore cannot be authenticated using DNSSEC. | You will need to set up DNSSEC for your domain, including generating necessary keys and updating DNS zone records accordingly. See this DigitalOcean guide for instructions which may be applicable to your server configuration, as well as dnssec.net for practical documents related to DNSSEC setup. |